feat(sops): trigger service restarts on secret rotation

Wire up restartUnits on secrets whose consumers cache them in memory
(daemons read at startup), so sops-nix restarts the affected unit on
activation when the decrypted content changes:

- firefly: app_key → phpfpm-firefly-iii;
  auto_import_secret + access_token → phpfpm-firefly-iii-data-importer
- searx: secret_key → uwsgi
- opencode: web password → opencode-serve
- mail: sasl_passwd → postfix
- forgejo: gitea_dbpass → forgejo; runner-token → gitea-runner-default

Secrets read on demand by oneshots/timers (firefly sparda_pin, ntfy
token, restic backup creds, acme dns creds, wg conf) are left as-is.
Harald Hoyer 2026-05-03 15:23:40 +02:00
parent 59480cdc79
commit 01f42c0851
5 changed files with 11 additions and 1 deletions


@ -31,6 +31,7 @@ in
"firefly/app_key" = {
sopsFile = ../../../.secrets/sgx/firefly.yaml;
owner = "firefly-iii";
restartUnits = [ "phpfpm-firefly-iii.service" ];
};
"firefly/sparda_pin" = {
sopsFile = ../../../.secrets/sgx/firefly.yaml;
@ -39,10 +40,12 @@ in
"firefly/auto_import_secret" = {
sopsFile = ../../../.secrets/sgx/firefly.yaml;
owner = "firefly-iii-data-importer";
restartUnits = [ "phpfpm-firefly-iii-data-importer.service" ];
};
"firefly/access_token" = {
sopsFile = ../../../.secrets/sgx/firefly.yaml;
owner = "firefly-iii-data-importer";
restartUnits = [ "phpfpm-firefly-iii-data-importer.service" ];
};
};
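Review bot: Restarting `phpfpm-firefly-iii.service` when `firefly/app_key` changes (the new `restartUnits` line in the first hunk) is not by itself a safe rotation of that secret: Firefly III uses APP_KEY for its data encryption, so values written under the old key are expected to become unreadable after the switch unless they are re-encrypted first, and the restart only makes the pool pick up the new key. Worth stating at the secret so a sops edit is not treated as a routine rotation, e.g. `# NOTE: changing app_key after install breaks existing encrypted data — this restart does not re-encrypt anything`. Separately, if the nixpkgs module caches Laravel config in a setup oneshot before the pool starts (not visible here), that unit would also need to be restarted for the new key to be used — verify which unit actually reads the file. The enclosing `sops.secrets` attribute set begins before the first hunk.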


@ -21,6 +21,7 @@
sops.secrets.sasl_passwd = {
sopsFile = ../../../.secrets/sgx/relay.yaml; # bring your own password file
owner = config.services.postfix.user;
restartUnits = [ "postfix.service" ];
};
}
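Review bot: Whether the restart on `sasl_passwd` takes effect depends on how postfix consumes the file, which is not in this hunk: if it is referenced as a `hash:` map, postfix reads the compiled `.db` next to it, and restarting `postfix.service` only helps if `postmap` is re-run on the new content beforehand (e.g. through the module's map handling in preStart); if it is referenced as `texthash:`, no compilation step exists and the restart is sufficient. Pin that assumption next to the option, e.g. `# consumed as texthash:, so no postmap is needed — keep in sync with smtp_sasl_password_maps`. Consider `reloadUnits` rather than `restartUnits` here as well, since `postfix reload` re-reads the configuration and lets in-flight deliveries finish, whereas a restart interrupts them; both are fine for security, it is an availability choice.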


@ -42,5 +42,6 @@ in
sops.secrets.opencode-web-password = {
sopsFile = ../../../.secrets/sgx/opencode-web.yaml;
owner = user;
restartUnits = [ "opencode-serve.service" ];
};
}
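Review bot: `restartUnits = [ "opencode-serve.service" ]` ties this secret to a unit by a literal string: sops-nix only runs `systemctl restart` on that name, so if the unit is renamed or not enabled on a host the restart is silently skipped (or merely logged during activation) and the old password stays in memory. If the service is declared earlier in this file (its definition is above the hunk and not visible), consider documenting the coupling next to the option, e.g. `# opencode-serve reads the password once at startup; keep this unit name in sync with systemd.services.opencode-serve`. A short note that the decrypted file is readable by `user` (sops-nix's default `mode` of 0400 unless overridden), and therefore by every process running as that user, would also help the next reader judge the exposure.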


@ -1,6 +1,9 @@
{ pkgs, config, ... }:
{
sops.secrets."searx/secret_key".sopsFile = ../../../.secrets/sgx/searx.yaml;
sops.secrets."searx/secret_key" = {
sopsFile = ../../../.secrets/sgx/searx.yaml;
restartUnits = [ "uwsgi.service" ];
};
services.searx = {
enable = true;